List: gentoo-dev
Subject: [gentoo-dev] Review for patch to pax-utils.eclass
From: "Anthony G. Basile" <blueness () gentoo ! org>
Date: 2016-08-27 0:22:55
Message-ID: 8b4e0241-79b2-a788-5189-af67d16d03d0 () gentoo ! org
I'd like to commit the following change to the pax-utils.eclass to
address bug #590422. I'm submitting it to the list for review.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
["pax-utils-safe-paxctl.patch" (text/plain)]
commit 6dcad31d0a6558eb70f5c46689fe4d4246d80bb1
Author: Anthony G. Basile <blueness@gentoo.org>
Date: Fri Aug 26 20:02:44 2016 -0400
pax-utils.eclass: do not attempt to create/convert a PT_PAX_FLAGS program header
Support for the creation of PT_PAX_FLAGS program headers in ELF objects is being
dropped in >=sys-devel/binutils-2.26.1. Running paxctl -C or -c either to create
a PT_PAX_FLAGS header or to convert a PT_GNU_STACK header on such ELF objects
results in broken executables. For backwards compatibility we continue to support
PT_PAX_FLAGS markings with paxctl but remove these unsafe methods from the eclass.
Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=590422
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 9ed1170..386a7f6 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
@@ -6,8 +6,8 @@
# @MAINTAINER:
# The Gentoo Linux Hardened Team <hardened@gentoo.org>
# @AUTHOR:
-# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
-# Modifications for bugs #365825, #431092, #520198, @ ECLASS markup: Anthony G. \
Basile <blueness@gentoo.org> +# Author: Kevin F. Quinn <kevquinn@gentoo.org>
+# Author: Anthony G. Basile <blueness@gentoo.org>
# @BLURB: functions to provide PaX markings for hardened kernels
# @DESCRIPTION:
#
@@ -82,11 +82,9 @@ pax-mark() {
einfo "PT_PAX marking -${flags} ${f} with paxctl"
# First, try modifying the existing PAX_FLAGS header.
paxctl -q${flags} "${f}" >/dev/null 2>&1 && continue
- # Second, try creating a PT_PAX header (works on ET_EXEC).
- # Even though this is less safe, most exes need it. #463170
- paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue
- # Third, try stealing the (unused under PaX) PT_GNU_STACK header
- paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue
+ # We no longer try to create or convert a PT_PAX header, bug #590422
+ # paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue
+ # paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue
fi
# Next try paxctl-ng -> this will not create/convert any program headers.
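Review bot: In the pax-mark() hunk the two removed fallbacks are left behind as commented-out code ("# paxctl -qC${flags} ..." and "# paxctl -qc${flags} ..."); delete those two lines and keep only the "We no longer try to create or convert a PT_PAX header, bug #590422" comment, since the old calls remain recoverable from this commit. The retained comment "First, try modifying the existing PAX_FLAGS header." no longer has a second or third step after it, so the "First," should be dropped. With both fallbacks gone, a failing "paxctl -q${flags}" has its output discarded by ">/dev/null 2>&1" and control falls through to the paxctl-ng step, which by its own comment will not create or convert program headers either. Nothing in these lines tells the user that the PT_PAX marking was not applied to an object lacking the header, so consider an ewarn at that point naming the file.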